How to block POST requests?

Rt Ibmer rtibmx at
Wed May 21 07:03:02 MSD 2008


>>## Only allow GET and HEAD request methods
>>      if ($request_method !~ ^(GET|HEAD)$ ) {
>>         return 444;
>>      }

Regarding the above - no one should ever do a POST operation to our site.  However since the above check can slow things down a tad (someone said as much as 15% compared to other methods), I was thinking to instead simply use:

   client_max_body_size 1k 1k;

Well, I will use that in any event. However I'm wondering then if the request_method check above is then even worth it.  If someone is going to use POST the most they could do is 1KB so perhaps the large_client_header_buffer is enough protection for that and not worth adding slight overhead on the request_type check. What do you think?

Also I am trying to see if I understand something properly from your excellent website article... If I use this:
   large_client_header_buffers 2 4k;

Does that mean that a request URI that comes in can be up to 8KB in size.  Or does it mean it can only be up to 4kb? I was a bit confused by the text for this on your site.  You said "is the limit of the URI request line
which can not be larger then the size of ***ONE*** buffer.  I wasn't sure if you meant one buffer because that is what you were using in your example, or it is indeed limited to one?

In our case most of the query strings we get will be small.  However some can be up to 4-6KB in size.  What do you recommend - using ..._buffers 2 4k; or ..._buffers 1 8k;  etc?



More information about the nginx mailing list